Tool execution using the HPC-friendly container technology Singularity
is now supported. Custom containers can be specified by the Galaxy admin on a per job destination basis
or standardized containers corresponding to Conda requirements can be built or downloaded automatically
using the mulled toolkit built into Galaxy (just like is possible for Docker). For more information
checkout this presentation from the 2017 Galaxy Community Conference.
Pull Request 4175

The 17.09 Galaxy version includes many security patches. Per our new Security Policy some of these have been
applied to Galaxy releases going back 12 months.

Details of the vulnerabilities that have been backported can be found in the Security patch details
section of these release notes. Some issues have only been addressed in 17.09, for this reason
if security is important to your Galaxy instance we strongly recommend upgrading to this latest release
as soon as possible.

If you maintain a publicly accessible Galaxy please consider signing up for this mailing list to receive the future security patches in advance of the public disclosure.

A medium severity security vulnerability in Galaxy Data Libraries was
recently discovered by Jelle Scholtalbers.
This vulnerability allows the following unauthorized actions:

Any user that has been granted the permission to add datasets to a
library, library folder, or to modify an existing library dataset (an
“authorized user”), is able to import any file on the system that is
readable by the user running the Galaxy server.

Anyone can create libraries and library folders (but not add datasets to them)

The fix for this issue has been applied to Galaxy releases back to 16.07 and can be found in this commit

A high severity security vulnerability was recently discovered in Galaxy
Interactive Environments (GIEs) by the Galaxy Committers Team. Anyone with
a Galaxy account can exploit this vulnerability to execute arbitrary code
on the Galaxy server as the user running the Galaxy server process.

The vulnerability only affects Galaxy servers on which Galaxy Interactive
Environments are enabled (by setting the
interactive_environment_plugins_directory
option in galaxy.ini). Because the vulnerability can be exploited to
execute arbitrary code, the impact for affected servers is severe.

Administrators of Galaxy servers where GIEs are enabled should update
immediately.

The fix for this issue has been applied to Galaxy releases back to 17.05 and can be found in this commit

A medium severity security vulnerability in tools utilizing the Galaxy data
source protocol was recently discovered by the Galaxy Committers Team.
Anyone who is able to run an external data source tool can access
any file that is readable by the user running Galaxy jobs
on the host where the job runs.

Many such “external data source” tools are provided with the Galaxy
distribution and are enabled by default (most tools under the “Get Data”
section of the tool panel), meaning that its exploitability is fairly high,
as only one such tool needs to be enabled to be vulnerable, including any
custom data source tools (any tool that uses
tools/data_source/data_source.py).
What files are readable depends entirely upon what the job’s user has
access to read on the host(s) where jobs run.

The fix for this issue has been applied to Galaxy releases back to 16.07 and can be found in this commit